Cyber Insurance and Post-Breach Services: A Normative Analysis

References

• Abbring JH, Chiappori PA, Zavadil T (2008) Better safe than sorry? Ex ante and ex post moral hazard in dynamic insurance data. Discussion Paper No. 08-075/3, Tinbergen Institute, Amsterdam.Google Scholar
• Arrow KJ (1963) Uncertainty and the welfare economics of medical care. Amer. Econom. Rev. 53:941–973.Google Scholar
• Atici M (2022) Paradigm shift in cybersecurity and the emergence of Enterprise Forensics—A chat with Binalyze’s founder. Accessed December 23, 2023, https://medium.com/birds-view/paradigm-shift-in-cybersecurity-and-the-emergence-of-enterprise-forensics-a-chat-with-binalyzes-4467dd9ef4ab.Google Scholar
• August T, Tunca TI (2011) Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Sci. 57(5):934–959.Google Scholar
• Bandyopadhyay T, Mookerjee VS, Rao RC (2008) Why IT managers don’t go for cyber-insurance products. Commun. ACM. 52(11):68–73.Crossref, Google Scholar
• Bodin LD, Gordon LA, Loeb MP, Wang A (2018) Cybersecurity insurance and risk-sharing. J. Account. Public Policy 37:527–544.Crossref, Google Scholar
• Bogetic Z, Heffley D (1993) Reforming healthcare: A case for stay well health insurance. Policy Research working papers no. WPS 1181. World Bank, Washington, DC.Google Scholar
• Bohme R (2005) Cyber-insurance revisited. Workshop on the Economics of Information Security (WEIS), Cambridge, MA.Google Scholar
• Bohme R, Kataria G (2006) Models and measures for correlation in cyber-insurance. Workshop on the Economics of Information Security (WEIS), Cambridge, UK.Google Scholar
• Bohme R, Moore T (2009) The iterated weakest link: A model of adaptive security investment. Workshop on the Economics of Information Security (WEIS), London.Google Scholar
• Bolot J, Lelarge M (2008) Cyber insurance as an incentive for internet security. The Seventh Workshop on Economics of Information Security, Hanover, NH.Google Scholar
• Burrows J (2017) Escaping dark age cybersecurity thinking. Medium (February 1), https://medium.com/@brons/escaping-dark-age-cybersecurity-thinking-3e7b0c74bda8.Google Scholar
• Cavusoglu H, Mishra B, Raghunathan S (2005) The value of intrusion detection systems in information technology security architecture. Inform. Systems Res. 16(1):28–46.Link, Google Scholar
• Chubb Business Insurance (2022) Cyber case studies for SMEs. Accessed December 23, 2023, https://www.chubb.com/au-en/businesses/resources/cyber-case-studies-for-smes.html.Google Scholar
• Cohn Y, Kelley KH (2017) Ten questions every board should ask in overseeing cyber risks. Harvard Law School Forum on Corporate Governance. Accessed December 23, 2023, https://corpgov.law.harvard.edu/2017/06/27/ten-questions-every-board-should-ask-in-overseeing-cyber-risks/.Google Scholar
• Crew M (1969) Coinsurance and the welfare economics of medical care. Amer. Econom. Rev. 59(5):906–908.Google Scholar
• Delman M (2021) Cyber insurance may be making ransomware worse, here’s why. Accessed December 23, 2023, https://blog.morphisec.com/cyber-insurance-may-be-making-ransomware-worse-heres-why.Google Scholar
• Doherty NA, Schlesinger H (1983) The optimal deductible for an insurance policy when initial wealth is random. J. Bus. 56(4):555–565.Crossref, Google Scholar
• Dou W, Tang W, Wu X, Qi L, Xu X, Zhang X, Hu C (2020) An insurance theory based optimal cyber-insurance contract. Inform. Sci. 527:576–589.Crossref, Google Scholar
• Ehrlich I, Becker GS (1972) Market insurance, self-insurance, and self-protection. J. Political Econom. 80(4):623–648.Crossref, Google Scholar
• Elliott K, Massacci F, Williams J (2016) Action, inaction, trust, and cybersecurity’s common property problem. IEEE Secur. Priv. 14(1):82–86.Crossref, Google Scholar
• Evans S (2019) Capital one data breach puts $400m insurance tower on-watch. Accessed, December 23, 2023, https://www.reinsurancene.ws/capital-one-data-breach-puts-400m-insurance-tower-on-watch/.Google Scholar
• Feldman R, Dowd B, Leitz S, Blewett LA (1997) The effect of premiums on a small firm’s decision to offer health insurance. J. Hum. Resource 32(4):635–658.Crossref, Google Scholar
• FERMA (2018) Preparing for cyber insurance (Federation of European Risk Management Associations, Brussels). Accessed, December 23, 2023, https://www.ferma.eu/app/uploads/2019/02/preparing-for-cyber-insurance-web-04-10-2018.pdf.Google Scholar
• Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inf. Syst. Secur. 5(4):438–457.Crossref, Google Scholar
• Gordon LA, Loeb MP, Lucyshyn W (2003b) Sharing information on computer system security: An economic analysis. J. Account. Public Policy. 22(6):461–485.Crossref, Google Scholar
• Gordon LA, Loeb MP, Sohail T (2003a) A framework for using insurance for cyber-risk management. Commun. ACM. 46(3):81–85.Crossref, Google Scholar
• Gordon LA, Loeb MP, Lucyshyn W, Sohail T (2006) The impact of the sarbanes-oxley act on the corporate disclosures of information security activities. J. Account. Public Policy. 25:503–530.Crossref, Google Scholar
• Gould JP (1969) The expected utility hypothesis and the selection of optimal deductibles for a given insurance policy. J. Bus. 42(2):143–151.Crossref, Google Scholar
• Gramig B, Horan R, Walf C (2005) A model of incentive compatibility under moral hazard in lovestock disease outbreak response. American Agricultural Econom. Assoc. 2005 Annual Meeting (AAEA, Milwaukee, WI), 1–21.Google Scholar
• Heffley DR, Miceli TJ (1998) The economics of incentive-based health care plans. J. Risk Insur. 65(3):445–465.Crossref, Google Scholar
• Higgins KJ (2014) Cyberinsurance resurges in the wake of mega-breaches. Accessed December 23, 2023, http://www.darkreading.com/perimeter/cyberinsurance-resurges-in-the-wake-of-mega-breaches/d/d-id/1316306.Google Scholar
• Hofmann A (2005) Internalizing externalities of loss-prevention through insurance monopoly: An analysis of interdependent consumer risks. Working Papers on Risk and Insurance, Hamburg University, Hamburg, Germany.Google Scholar
• Huberman G, Mayers D, Smith CW Jr (1983) Optimal insurance policy indemnity schedules. Bell J. Econ. 14(2):415–426.Google Scholar
• Hui KL, Hui W, Yue WT (2012) Information security outsourcing with system interdependency and mandatory security requirement. J. Management Inform. Systems 29(3):117–156.Crossref, Google Scholar
• Hui KL, Kim SH, Wang QH (2017) Cybercrime deterrence and international legislation: Evidence from distributed denial of service attacks. Management Inform. Systems Q. 41(2):497–523.Crossref, Google Scholar
• Hui KL, Ke PF, Yao Y, Yue WT (2019) Liability-based contracts in information security outsourcing. Inform. Systems Res. 30(2):411–429.Link, Google Scholar
• Hurtaud S, Flamand T, De La Vaissiere L, Hounka A (2015) Cyber insurance as one element of the cyber risk management strategy. Inside (7): 92–97.Google Scholar
• Hussain NZ, Cohn C (2020) Ransomware attacks on the rise even as cyber insurers scale back. Reuters (December 16), https://www.reuters.com/article/cyber-insurance/ransomware-attacks-on-the-rise-even-as-cyber-insurers-scale-back-idINL8N2IW3VS.Google Scholar
• Kaplan S, Garrick J (1981) On the quantitative definition of risk. Risk Anal. 1(1):11–27.Crossref, Google Scholar
• Katyal NK (2001) Criminal law in cyberspace. Univ. Pa. Law Rev. 149(4):1003–1094.Crossref, Google Scholar
• Kumar RL, Park S, Subramaniam C (2008) Understanding the value of countermeasure portfolios in information systems security. J. Management Inform. Systems 25(2):241–279.Crossref, Google Scholar
• Kunreuther H, Heal G (2003) Interdependent security. J. Risk Uncertain. 26(2/3):231–249.Crossref, Google Scholar
• Laux J, Kerman C, Coakley S (2020) US cyber market update – 2019 US cyber insurance profits and performance. AON. Accessed December 23, 2023, http://thoughtleadership.aonbenfield.com//Documents/202006-us-cyber-market-update.pdf.Google Scholar
• Lee CH, Geng X, Raghunathan S (2013) Contracting information security in the presence of double moral hazard. Inform. Systems Res. 24(2):295–311.Link, Google Scholar
• Lee CH, Geng X, Raghunathan S (2016) Mandatory standards and organizational information security. Inform. Systems Res. 27(1):70–86.Google Scholar
• Lerner M (2019) Average costs of cyber liability insurance studied. Business Insurance (September 19), https://www.businessinsurance.com/article/20190919/NEWS06/912330752/Average-costs-of-cyber-liability-insurance-studied.Google Scholar
• Loch KD, Carr HH, Warkentin ME (1992) Threats to information systems: Today’s reality, yesterday’s understanding. Management Inform. Systems Q. 16(2):173–186.Crossref, Google Scholar
• Marotta A, Martinelli F, Nanni S, Orlando A, Yautsiukhin A (2017) Cyber-insurance survey. Comput. Sci. Rev. 24(C):35–61.Crossref, Google Scholar
• Merrey P, Smith M, Martindale M, Kokins A (2017) Seizing the cyber insurance opportunity: Rethinking insurers’ strategies and structures in the digital age. KPMG International. Accessed December 23, 2023, https://assets.kpmg/content/dam/kpmg/xx/pdf/2017/07/cyber-insurance-report.pdf.Google Scholar
• Mitra S, Ransbotham S (2015) Information disclosure and the diffusion of information security attacks. Inform. Systems. Res. 26(3):563–584.Link, Google Scholar
• Mookerjee V, Mookerjee R, Bensoussan A, Yue WT (2011) When hackers talk: Managing information security under variable attack rates and knowledge dissemination. Inform. Systems Res. 22(3):606–623.Link, Google Scholar
• Newman CA (2016) Target’s cyber insurance: A $100 million policy vs. $300 million (so far) in costs. Accessed December 23, 2023, https://www.pbwt.com/data-security-law-blog/targets-cyber-insurance-a-100-million-policy-vs-300-million-so-far-in-costs.Google Scholar
• OECD (2017) Enhancing the Role of Insurance in Cyber Risk Management (OECD Publishing, Paris).Crossref, Google Scholar
• Ogut H, Raghunathan S, Menon N (2011) Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss and observability of self-protection. Risk Anal. 31(3):497–512.Crossref, Google Scholar
• Otto G (2019) What capital one’s cybersecurity team did (and did not) get right. Accessed December 23, 2023, https://www.cyberscoop.com/capital-one-cybersecurity-data-breach-what-went-wrong/.Google Scholar
• Pal R, Golubchik L, Psounis K, Hui P (2014) Will cyber-insurance improve network security? A market analysis. Proc. Annual IEEE Internat. Conf. Comput. Comm. (IEEE, Piscataway, NJ), 235–243.Google Scholar
• Pashigian BP, Schkade LL, Menefee GH (1966) The selection of an optimal deductible for a given insurance policy. J. Bus. 39(1):35–44.Crossref, Google Scholar
• Pauly MV (1968) The economics of moral hazard: Comment. Amer. Econom. Rev. 58(3):531–537.Google Scholar
• Phelps CE, Newhouse JP (1974) Coinsurance, the price of time, and the demand for medical services. Rev. Econom. Statist. 56(3):334–342.Crossref, Google Scholar
• Png IPL, Wang Q-H (2009) Inforamtion security: Facilitating user precautions vis-à-vis enforcement against attackers. J. Management Inform. Systems 26(2):97–121.Crossref, Google Scholar
• Png IPL, Wang CY, Wang QH (2008) The deterrent and displacement effects of information security enforcement: International evidence. J. Management Inform. Systems 25(2):125–144.Crossref, Google Scholar
• PwC (2014) Cybersecurity challenges in an interconnected world: Key findings from the global state of information security survey 2015. Accessed December 23, 2023, pwc.com.Google Scholar
• Romanosky S, Ablon L, Kuehn A, Jones T (2019) Content analysis of cyber insurance policies: How do carriers price cyber risk. J. Cybersecurity 5(1):1–19.Crossref, Google Scholar
• Rothschild M, Stiglitz J (1976) Equilibrium in competitive insurance markets: An essay on the economics of imperfect information. Quart. J. Econom. 90(4):629–649.Crossref, Google Scholar
• Rowell D, Connelly LB (2012) A history of the term ‘moral hazard’. J. Risk Insurance 79(4):1051–1075.Crossref, Google Scholar
• Skariachan D, Finkle J (2014) Target shares recover after reassurance on data breach impact. Reuters (February 26), https://www.reuters.com/article/us-target-results-idUSBREA1P0WC20140226.Google Scholar
• Surane J, Nguyen L (2019) Capital one breach clouds technology strategy; puts $400M cyber insurance in play. Accessed December 23, 2023, https://www.insurancejournal.com/news/national/2019/08/01/534388.htm.Google Scholar
• Temin D (2013) Target’s worst PR nightmare: 7 lessons from target’s well-meant but flawed crisis response. Accessed December 23, 2023, https://www.forbes.com/sites/daviatemin/2013/12/30/targets-worst-pr-nightmare-7-lessons-from-targets-well-meant-but-flawed-crisis-response/#19bca19543cf.Google Scholar
• Tham I, Baharudin H (2018) Tardy responses, security failings led to SingHealth breach. Accessed December 23, 2023, https://www.straitstimes.com/singapore/tardy-responses-security-failings-led-to-singhealth-breach.Google Scholar
• Trice C, Rupawala H (2020) Cyber insurance sees steady growth despite sales, retention challenges. S&P global market intelligence. Accessed December 23, 2023, https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/cyber-insurance-sees-steady-growth-despite-sales-retention-challenges-58359212.Google Scholar
• van der Wees PJ, Wammes JJG, Westert GP, Jeurissen PPT (2016) The relationship between the scope of essential health benefits and statutory financing: An international comparison across eight European countries. Internat. J. Health Policy Management 5(1):13–22.Crossref, Google Scholar
• Verified Market Research (2020) Cyber insurance market worth $32.47 billion, globally, by 2027 at 23.76% CAGR: Verified market research. Accessed December 23, 2023, https://www.prnewswire.com/news-releases/cyber-insurance-market-worth–32-47-billion-globally-by-2027-at-23-76-cagr-verified-market-research-301181491.html.Google Scholar
• Wang J, Chaudhury A, Raghav Rao H (2008) Research note – A value-at-risk approach to information security investment. Inform. Systems Res. 19(1):106–120.Link, Google Scholar
• Wang T, Kannan KN, Ulmer JR (2013) The association between the disclosure and the realization of information security risk factors. Inform. Systems Res. 24(2):201–218.Link, Google Scholar
• Whitman ME, Mattord HJ (2012) Principles of Information Security, 4th ed. (Course Technology Cengage Learning, Boston).Google Scholar
• Yue WT, Cakanyildirim M (2007) Intrusion prevention in information systems: Reactive and proactive responses. J. Management Inform. Systems 24(1):329–353.Crossref, Google Scholar
• Zhao X, Xue L, Whinston AB (2013) Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. J. Management Inform. Systems 30(1):123–152.Crossref, Google Scholar
• Zoidze A, Rukhazde N, Chkhatarashvili K, Gotsadze G (2013) Promoting universal financial protection: Health insurance for the poor in Georgia – A case study. Health Res. Policy Syst. 11(45).Google Scholar